ENISA provides a single framework addressing the security measures covering technical and organizational measures applicable by the EU regulation on electronic communications, namely Article 13a of the Telecom Framework Directive and Article 4 of the ePrivacy Directive. The legislation requires Member States to ensure that telecom providers protect the security of their networks and services (Article 13a and Article 4), and the security of personal data processing (Article 4).

The joint framework is intended as a tool for authorities supervising the electronic communications sector in accordance with Article 13a and Article 4. The benefits from the development of this single framework are two-fold:

The framework contains 26 high-level security objectives, grouped in 7 domains. Each security objective is marked to indicate relevance for Article 13a and/or Article 4. For every security objective detailed security measures are listed as well as evidence that measures are applied. To highlight the fact that one size does not fit all, measures are grouped in 3 sophistication levels: basic, industry-standard, state-of-the-art.

Staffan Lindmark, Deputy Head of Section at the Swedish Post and Telecom Authority and member of ENISA’s expert group of Telecom Regulators, said on the initiative: “Access to dependable electronic communications is vital in today’s society. Together, Article 13a and Article 4 form a comprehensive network and information security regulation for the telecom sector, which aims to ensure that users are provided with services that are reliable, and that the vast amount of data that is being transferred across the communications networks every day, is sufficiently protected. The joint framework developed by ENISA enables competent authorities to apply these rules in a consistent way across Europe.”

ENISA’s Executive Director, Udo Helmbrecht commented on the project: “Security is a complex topic with a top priority for the EU. We have to avoid overlaps and inconsistencies between different laws. Experts from national authorities highlight there is roughly an 80 % overlap in the security measures that the telecom providers need to take to protect the security of networks and services, and the processing of personal data. ENISA acts as a liaison among the telecom regulators, the data protection authorities and the providers with the goal to assist Member States in implementing the legislation effectively and cost-efficiently.”

The framework was developed with input from a group of experts from competent national authorities (NRAs and DPAs), based on earlier experience and discussions about how to supervise Article 13a and Article 4. The report follows the ENISA Article 13a guideline on security measures and subsumes the technical and organisational measures addressed in the ENISA Recommendations for technical implementation of Article 4 (Section 5.2). ENISA will continue its work together with the national authorities across the EU and provide support in the supervision of security measures in the telecom sector.